03-01-2015 12:52 AM - last edited on 03-25-2019 05:32 PM by ciscomoderator
Following from
http://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/
In the network policy I set the user group as Domain Computers.
When running on the 3550:
1. cannot use the command "crypto key generate rsa"
2. cannot use the command "ip ssh version 2"
a. When using AAA, is SSH required?
b. How do I log in successfully with AAA?
c. Is the radius-server key the Windows Server 2008 administrator's password? If not, what password is it?
conf t
aaa new-model
username radiusclient secret cisco
line vty 0 4
transport input telnet
exit
line vty 5 15
transport input telnet
exit
ip domain-name radius1.local
radius-server host 192.168.38.213
radius-server key IsItWindowServer2008Password?
aaa group server radius NPSSERVER
server 192.168.38.213
exit
aaa authentication login default group NPSSERVER local
aaa authorization exec default group NPSSERVER local
exit
03-01-2015 03:40 PM
Hi,
You would need to configure the command "login authentication default" under line vty, and your telnet request would then be authenticated against the RADIUS server.
line vty 0 4
login authentication default
transport input telnet
Please have a look at the link below for details about the configuration:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swauthen.html#wp1044243
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-05-2015 03:52 PM
Let me try again tonight.
03-05-2015 03:52 PM
Hi,
Can we see what the reason for the access denied is in the RADIUS server logs? That should give us a reason for the rejection.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-06-2015 08:17 AM
https://drive.google.com/file/d/0B2PgRKgeBo5ZVGZNT1pVblRJY0U/view?usp=sharing
Here is the log:
router1#debug aaa accounting
AAA Accounting debugging is on
router1#
*Mar 6 23:26:10.563: AAA/ACCT/EVENT/(00000006): CALL START
*Mar 6 23:26:10.563: Getting session id for NET(00000006) : db=66D14C78
*Mar 6 23:26:10.563: AAA/ACCT(00000000): add node, session 4
*Mar 6 23:26:10.567: AAA/ACCT/NET(00000006): add, count 1
*Mar 6 23:26:10.567: Getting session id for NONE(00000006) : db=66D14C78
router1#
*Mar 6 23:26:18.627: Getting session id for EXEC(00000006) : db=66D14C78
router1#debug aaa authentication
AAA Authentication debugging is on
router1#
*Mar 6 23:53:04.123: Getting session id for EXEC(0000000B) : db=66BB7588
router1#
*Mar 6 23:53:06.151: AAA/ACCT/EVENT/(0000000B): EXEC DOWN
router1#
*Mar 6 23:53:08.159: AAA/ACCT/EVENT/(0000000B): CALL STOP
*Mar 6 23:53:08.159: AAA/ACCT/CALL STOP(0000000B): Sending stop requests
*Mar 6 23:53:08.159: AAA/ACCT(0000000B): Send all stops
*Mar 6 23:53:08.159: AAA/ACCT/NET(0000000B): STOP
*Mar 6 23:53:08.163: AAA/ACCT/NET(0000000B): Method list not found
*Mar 6 23:53:08.163: AAA/ACCT(0000000B): del node, session 9
*Mar 6 23:53:08.163: AAA/ACCT/NET(0000000B): free_rec, count 0
*Mar 6 23:53:08.163: AAA/ACCT/NET(0000000B) reccnt 0, csr TRUE, osr 0
*Mar 6 23:53:08.167: AAA/ACCT/NET(0000000B): Last rec in db, intf not enqueued
router1#
03-06-2015 09:27 AM
In the real environment, logging in using the 3550: there is no entry in the Security log, but there is one in the System log:
A RADIUS message was received from RADIUS client 192.168.3.111 with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.
Then I tried again; it is still the backup authentication error.
The whole Security log is empty on Windows Server 2008 R2 in a virtual machine in the production environment, not GNS3.
03-01-2015 03:42 PM
Hi,
Actually I tried here in my lab and I am able to authenticate successfully without that command as well. What is the failure reason you are getting on RADIUS?
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-01-2015 03:48 PM
Hi,
To answer your questions:
No, AAA is not just for SSH.
The RADIUS key should be the same on the router as well as on your RADIUS server when you create the device there. It has nothing to do with the Windows admin password.
The above configuration looks fine. We need to see why your request is being denied by RADIUS.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
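To make the NPS "invalid authenticator" event and the shared-secret point above concrete, here is an added example (not from this thread, Cisco, or Microsoft): it builds a RADIUS Accounting-Request authenticator as RFC 2866 specifies and then verifies it once with a matching and once with a mismatched shared secret. Only the NAS address 192.168.3.111 comes from the thread; the secrets, user name and session id are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs: Type, Length, Value."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request the way a NAS (here, the 3550) does.
    Its Request Authenticator is MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret), so it already depends on the shared secret."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def authenticator_valid(packet, secret):
    """Server-side check (what NPS does on receipt): recompute the
    authenticator with the server's copy of the secret and compare.
    A mismatch is exactly the 'invalid authenticator' condition NPS logs."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: an accounting Start record from the switch in the
# thread (NAS 192.168.3.111) for the user "radiusclient". Secrets are
# made-up placeholders, not values from any real deployment.
SWITCH_SECRET = b"sw1tch-side-secret"
ATTRS = [
    (1, b"radiusclient"),                       # User-Name
    (4, bytes([192, 168, 3, 111])),             # NAS-IP-Address
    (40, struct.pack("!I", 1)),                 # Acct-Status-Type = Start
    (44, b"00000006"),                          # Acct-Session-Id
]
PACKET = build_accounting_request(6, ATTRS, SWITCH_SECRET)

if __name__ == "__main__":
    print("matching secret   ->", authenticator_valid(PACKET, SWITCH_SECRET))
    print("mismatched secret ->", authenticator_valid(PACKET, b"typo-on-nps-side"))
```

Access-Requests carry a random authenticator instead, so there a wrong shared secret surfaces as a rejected login rather than as this event.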